The U.S. International Trade Commission is an independent, nonpartisan, quasi-judicial federal agency that provides trade expertise to both the legislative and executive branches of government, determines the impact of imports on U.S. industries, and directs actions against certain unfair trade practices, such as patent, trademark, and copyright infringement. USITC analysts and economists investigate and publish reports on U.S. industries and the global trends that affect them. The agency also maintains and publishes the Harmonized Tariff Schedule of the United States.

Commissioners
Deanna Tanner Okun, Chairman
Irving A. Williamson, Vice Chairman
Charlotte R. Lane
Daniel R. Pearson
Shara L. Aranoff
Dean A. Pinkert

UNITED STATES INTERNATIONAL TRADE COMMISSION
OFFICE OF INSPECTOR GENERAL
WASHINGTON, DC 20436

VIA ELECTRONIC TRANSMISSION

September 30, 2011                                                       OIG-JJ-020

Chairman Okun:

This memorandum transmits the Office of Inspector General’s final report Audit of Patch Management, OIG-AR-11-17. In finalizing the report, we analyzed management’s comments on our draft report and have included those comments in their entirety in Appendix A.

This report contains four recommendations for corrective action. In the next 30 days, please provide me with your management decisions describing the specific actions that you will take to implement each recommendation.

Thank you for the courtesies extended to my staff during this audit.

Sincerely,

Philip M. Heneghan
Inspector General

U.S. International Trade Commission
Audit Report

Table of Contents
Results of Audit
Areas for Improvement
   Area for Improvement 1: Use a single scanning tool to scan the Commission’s entire network.
   Area for Improvement 2: Implement a regular patching schedule for all servers.
Management Comments and Our Analysis
Scope and Methodology
Appendix A: Management Comments on Draft Report

Results of Audit

Has the USITC implemented an effective, comprehensive system to maintain patch levels?

Yes. The USITC has implemented an effective, comprehensive system to maintain patch levels.

The Commission uses a vulnerability scanner to scan the majority of its network infrastructure on a weekly basis. The Commission’s 455 workstations, which are the most vulnerable and represent most of the systems on ITCNet, were missing a total of 868 patches, for an average of 1.9 High Severity patches per workstation. This is an improvement when compared to an audit last year that identified USITC workstations as missing an average of 80 High Severity patches. Many of the missing workstation patches were due to outdated systems used to connect to the National Business Center. This software requires that the Commission accept the risk of using outdated software to perform financial management functions. The seven workstations used for financial reporting exhibited an average of 16 missing High Severity patches per workstation, significantly skewing the total patching score. These seven workstations make up only 1.5% of the Commission’s workstations, but account for 13% of the risk. The Commission has made commendable progress in implementing an effective patch management program.

We identified some areas that would support the Commission’s efforts to improve its patching capabilities: consolidating its scanning efforts into a single tool that scans the entire network, and implementing a patching schedule for all systems on its network.

Areas for Improvement

Area for Improvement 1:
Use a single scanning tool to scan the Commission’s entire network.

The Commission should use a single tool to scan its entire network for vulnerabilities. It currently uses a tool to scan its workstations and specific network address ranges that host some of the servers on ITCNet; however, it is not using the same tool to scan all servers or ITCNet’s entire network space.

The scanning tool has not been configured to perform complete scans of the Commission’s networks. The Commission’s internal network space has over 65,000 IP addresses, and only subsets of these IP addresses are scanned. In addition, the tool has not been configured to scan 40 non-Windows servers.

If the Commission does not scan the entirety of its network space, some systems could have unexpected but valid IP addresses on ITCNet and not be scanned.

Recommendation 1:
   Shrink the available network IP space to make it possible for all IP space to be scanned on a weekly basis.

Recommendation 2:
   Use one tool to scan all infrastructure.

Area for Improvement 2:
Implement a regular patching schedule for all servers.

To reduce its level of risk, the Commission has implemented regular patching for most systems, including Windows workstations and servers, and Linux servers.

We reviewed the patch status of 36 Linux servers. Thirty-four of these were missing an average of 5.9 packages, and the remaining two were missing 58 and 276 packages. During the audit, we found that different operational groups were implementing different server patching standards, resulting in the disparity between the majority of the servers and these two unpatched servers.

While most systems are being patched regularly, these two servers remained in production in an unpatched status for months, significantly increasing the risk to the network.

Recommendation 3:
   Use a single vulnerability scanning tool to fully scan all IP network ranges in ITCNet.

Recommendation 4:
   Patch all systems on a regular basis.

Management Comments and Our Analysis

On September 27, 2011, Chairman Deanna Tanner Okun provided management comments on the draft audit report.
The Chairman agreed with our assessment that there are two areas for improvement, and recognized that the Commission can further improve its effective patch management system by implementing the recommendations detailed in the two areas for improvement. The Chairman’s response is provided in its entirety as Appendix A.

Scope and Methodology

Scope:
   The scope of this audit included all systems on all networks managed by the U.S. International Trade Commission.

Methodology:
   1. Collect data identifying all network assets.
   2. Collect existing vulnerability scans from all available network scanners.
   3. Perform analysis of vulnerability scans, identifying patching patterns and potential outliers.
   4. Perform delta analysis of network assets versus scanning ranges.
   5. Identify systems not being scanned or patched consistently.

We conducted this performance audit in accordance with Generally Accepted Government Auditing Standards (GAGAS). Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Appendix A: Management Comments on Draft Report

Cover image: “Thacher’s Calculating Instrument,” developed by Edwin Thacher in the late 1870s.
It is a cylindrical, rotating slide rule able to perform complex mathematical calculations involving roots and powers quickly. The instrument was used by architects, engineers, and actuaries as a measuring device.
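As an added illustration of steps 4 and 5 of the Scope and Methodology section (example code written for this page, not part of the OIG report or the Commission's tooling), the following script performs the delta analysis of an asset inventory against configured scanner ranges and flags patching outliers; the host names, addresses, scan ranges and patch counts are constructed sample data.

```python
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed sample data, not the Commission's real inventory or scan ranges.
# host -> (IP address, number of missing High Severity patches)
ASSETS = {
    "ws-01": ("10.10.0.15", 2),
    "ws-02": ("10.10.0.27", 1),
    "fin-01": ("10.10.0.40", 16),   # financial-reporting host on legacy software
    "lnx-01": ("10.10.5.10", 6),
    "lnx-02": ("10.10.5.11", 5),
    "lnx-03": ("10.10.7.20", 58),   # outside every configured scan range
    "lnx-04": ("10.10.7.21", 276),  # outside every configured scan range
}
# Ranges the vulnerability scanner is configured to cover (constructed).
SCAN_RANGES = ["10.10.0.0/24", "10.10.5.0/24"]


def unscanned_assets(assets, scan_ranges):
    """Step 4: hosts whose address falls inside none of the scanned ranges.
    An inventoried host outside every range is the 'unexpected but valid
    IP address' case the report warns about."""
    nets = [ip_network(r) for r in scan_ranges]
    return sorted(host for host, (ip, _) in assets.items()
                  if not any(ip_address(ip) in net for net in nets))


def patch_outliers(assets, factor=2.5):
    """Step 5: hosts missing more than `factor` times the median patch count.
    The median is the baseline so a few badly lagging hosts cannot pull the
    threshold up and hide themselves."""
    baseline = median(count for _, count in assets.values())
    return sorted(host for host, (_, count) in assets.items()
                  if count > factor * baseline)


def risk_share(assets, hosts):
    """Fraction of all missing patches carried by `hosts`: the ratio the report
    uses when it notes that 1.5% of workstations produced 13% of the risk."""
    total = sum(count for _, count in assets.values())
    return sum(assets[h][1] for h in hosts) / total


if __name__ == "__main__":
    print("not scanned:", unscanned_assets(ASSETS, SCAN_RANGES))
    print("patch outliers:", patch_outliers(ASSETS))
    print("share of risk from lnx-03/04: %.1f%%"
          % (100 * risk_share(ASSETS, ["lnx-03", "lnx-04"])))
```

Feeding the script a real inventory export and the scanner's configured target list reproduces the report's finding pattern: the hosts that never appear in a scan are usually the same ones whose patch counts drift furthest from the fleet median.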